#cloud-config

ssh_deletekeys: true

disable_root: false

users:
- name: root
  ssh_authorized_keys:
  - {{ ssh_key }}

- name: frappe
  ssh_authorized_keys:
  - {{ ssh_key }}

runcmd:
- mkdir /etc/ssh/auth_principals
- sed -i 's/^(#)?X11Forwarding.*/X11Forwarding no/g' /etc/ssh/sshd_config
- sed -i 's/^(#)?MaxAuthTries.*/MaxAuthTries 6/g' /etc/ssh/sshd_config
- sed -i 's/^(#)?PermitEmptyPasswords.*/PermitEmptyPasswords no/g' /etc/ssh/sshd_config
- sed -i 's/^(#)?PermitUserEnvironment.*/PermitUserEnvironment no/g' /etc/ssh/sshd_config
- sed -i 's/^(#)?ClientAliveInterval.*/ClientAliveInterval 300/g' /etc/ssh/sshd_config
- sed -i 's/^(#)?ClientAliveCountMax.*/ClientAliveCountMax 3/g' /etc/ssh/sshd_config
- sed -i 's/^(#)?Banner.*/Banner \/etc\/login.warn/g' /etc/ssh/sshd_config
- sed -i 's/^(#)?MaxStartups.*/MaxStartups 10:30:60/g' /etc/ssh/sshd_config
- sed -i 's/^(#)?MaxSessions.*/MaxSessions 10/g' /etc/ssh/sshd_config
- curl https://frappecloud.com/files/ca.pub > /etc/ssh/ca.pub && chmod 644 /etc/ssh/ca.pub
- systemctl restart sshd
- su - frappe -c "cd /home/frappe/agent && env/bin/agent setup config --name {{ server.name }} --workers 2"
- su - frappe -c "cd /home/frappe/agent && env/bin/agent setup authentication --password {{ agent_password }}"
- su - frappe -c "htpasswd -Bbc /home/frappe/agent/nginx/monitoring.htpasswd frappe {{ monitoring_password }}"
- supervisorctl restart all
{% if server.doctype == 'Database Server' %}
- systemctl daemon-reload
- systemctl restart mariadb
- systemctl restart mysqld_exporter
{% endif %}
{% if server.provider == 'OCI' %}
- iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
- sed -i 's/^-A INPUT -j REJECT --reject-with icmp-host-prohibited$/#-A INPUT -j REJECT --reject-with icmp-host-prohibited/g' /etc/iptables/rules.v4
{% endif %}

write_files:
- path: /etc/systemd/system/statsd_exporter.service
  permissions: "0644"
  content: |
    {{ statsd_exporter_service | indent(4) }}

- path: /etc/filebeat/filebeat.yml
  content: |
    {{ filebeat_config | indent(4) }}

- path: /etc/ssh/auth_principals/frappe
  defer: true
  content: |
    all-servers
    {{ server.name }}

- path: /etc/ssh/sshd_config
  append: true
  content: |
    TrustedUserCAKeys /etc/ssh/ca.pub
    AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u

{% if server.doctype == 'Database Server' %}
- path: /etc/mysql/conf.d/frappe.cnf
  content: |
    {{ mariadb_config | indent(4) }}

- path: /etc/systemd/system/mariadb.service.d/memory.conf
  content: |
    {{ mariadb_systemd_config | indent(4) }}

- path: /etc/systemd/system/mysqld_exporter.service
  content: |
    {{ mariadb_exporter_config | indent(4) }}
{% endif %}

swap:
  filename: /swap.default
  size: 1073741824

{% if server.doctype == 'Server' %}
packages:
 - earlyoom
{% endif %}
